New BotSniffer better able to detect foul stench of botnets

Researchers at the Georgia Institute of Technology have unveiled a new program …

Researchers at Georgia Tech have published a paper on BotSniffer, a program they designed to detect botnet command-and-control channels in network traffic. BotSniffer is not the only bot-detection program available, but the Georgia Tech research team believes that the program's approach to the botnet problem yields a higher detection rate and fewer false positives. BotSniffer is designed to detect botnets that use either IRC or HTTP for command and control, i.e., "push" (IRC) or "pull" (HTTP) botnets. The program uses a detection method the authors call "spatial-temporal correlation and similarity" when searching for the presence of a botnet on the network.

Spatial-temporal correlation and similarity relies on the assumption that all bots, regardless of function, must communicate with a command-and-control server in order to receive updates and instructions, and that bots in the same botnet receive the same commands and therefore answer them at about the same time and in about the same way. Unlike humans, bots tend to communicate in a highly synchronized fashion. BotSniffer specifically watches for this type of "response crowd": a group of hosts talking to the same server whose responses fall within a short time window. If a group of responses is both consistent (the responses look alike) and synchronous (they arrive close together), the systems in question are much more likely to be bots than a group of humans communicating with each other. Approaching the problem from this angle allows BotSniffer, in theory, to detect the presence of a botnet even when overall network communication is low.
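As an added illustration of the response-crowd idea (this is example code, not code from the BotSniffer paper or the Georgia Tech team), the Python below groups constructed flow records by destination server, clusters each server's client messages into short time windows, and scores each window by how many of that server's clients responded in it (synchrony) and how alike their messages are (consistency). The window length, the thresholds, the character-trigram Jaccard similarity and the "flag a server after two suspicious windows" rule are all assumptions chosen for the example; the paper accumulates evidence across rounds with a sequential hypothesis test instead of a plain count.

```python
"""Toy spatial-temporal correlation check over constructed flow records.

Added example, not BotSniffer's code. It scores each server by whether the
hosts talking to it answer in tight time clusters (synchrony, the article's
"response crowd") with near-identical payloads (consistency). The window
size, thresholds and the trigram-Jaccard similarity are assumptions.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample records: (timestamp_seconds, client, server, message)
RECORDS = [
    # Three hosts polling the same web server: replies land within ~1 s
    # of each other and carry near-identical content.
    (100.0, "10.0.0.11", "203.0.113.5:80", "GET /cmd?id=a1&status=ok"),
    (100.4, "10.0.0.12", "203.0.113.5:80", "GET /cmd?id=a1&status=ok"),
    (101.2, "10.0.0.13", "203.0.113.5:80", "GET /cmd?id=a1&status=done"),
    (160.0, "10.0.0.11", "203.0.113.5:80", "GET /cmd?id=a2&status=ok"),
    (160.3, "10.0.0.12", "203.0.113.5:80", "GET /cmd?id=a2&status=ok"),
    (161.0, "10.0.0.13", "203.0.113.5:80", "GET /cmd?id=a2&status=ok"),
    # Three people on the same IRC server: spread out in time, varied text.
    (100.0, "10.0.0.21", "198.51.100.9:6667", "PRIVMSG #ops :anyone seen the build?"),
    (118.0, "10.0.0.22", "198.51.100.9:6667", "PRIVMSG #ops :lunch?"),
    (140.0, "10.0.0.23", "198.51.100.9:6667", "PRIVMSG #ops :yes, red on main"),
    (175.0, "10.0.0.21", "198.51.100.9:6667", "PRIVMSG #ops :brb"),
]

WINDOW = 5.0               # seconds; responses this close form one crowd (assumed)
DENSITY_THRESHOLD = 0.5    # fraction of a server's clients that must respond together
HOMOGENEITY_THRESHOLD = 0.5
SUSPICIOUS_CROWDS = 2      # crowds needed before a server is flagged (assumed)


def trigrams(text):
    return {text[i:i + 3] for i in range(len(text) - 2)}


def similarity(a, b):
    """Jaccard similarity of character trigrams (assumed stand-in for a real measure)."""
    ta, tb = trigrams(a), trigrams(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


def group_by_server(records):
    groups = defaultdict(list)
    for rec in records:
        groups[rec[2]].append(rec)
    return groups


def response_crowds(records, window=WINDOW):
    """Cluster one server's records in time: a new crowd starts when a record
    falls more than `window` seconds after the first record of the current one."""
    crowds, current = [], []
    for rec in sorted(records):
        if current and rec[0] - current[0][0] > window:
            crowds.append(current)
            current = []
        current.append(rec)
    if current:
        crowds.append(current)
    return crowds


def score_crowds(records, window=WINDOW):
    """Return (start_time, density, homogeneity) per crowd for one server.

    density:     hosts responding in the crowd / all hosts seen talking to the server
    homogeneity: mean pairwise similarity of the crowd's messages (0 if only one)
    """
    all_clients = {rec[1] for rec in records}
    scored = []
    for crowd in response_crowds(records, window):
        density = len({rec[1] for rec in crowd}) / len(all_clients)
        msgs = [rec[3] for rec in crowd]
        pairs = list(combinations(msgs, 2))
        homogeneity = sum(similarity(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0
        scored.append((crowd[0][0], density, homogeneity))
    return scored


def detect(records, window=WINDOW):
    """Map each server to True when enough crowds are both dense and homogeneous."""
    verdicts = {}
    for server, recs in group_by_server(records).items():
        hits = [s for s in score_crowds(recs, window)
                if s[1] >= DENSITY_THRESHOLD and s[2] >= HOMOGENEITY_THRESHOLD]
        verdicts[server] = len(hits) >= SUSPICIOUS_CROWDS
    return verdicts


if __name__ == "__main__":
    groups = group_by_server(RECORDS)
    for server, flagged in detect(RECORDS).items():
        print(f"{server}: {'likely C&C' if flagged else 'looks benign'}")
        for start, density, homog in score_crowds(groups[server]):
            print(f"  t={start:6.1f}  density={density:.2f}  homogeneity={homog:.2f}")
```

On the constructed input the web server is flagged (two crowds with density 1.0 and high homogeneity) while the IRC server is not (each message sits in its own window, so density never exceeds one third). The same logic applies to both push and pull traffic because it keys only on timing and content, which is the point the article makes: a low-volume botnet still produces crowds, whereas humans on a shared server rarely do.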

The developers of BotSniffer believe that this type of communication analysis is ultimately superior to methods that rely on signature checking, network-level traffic analysis, or approaches like BotHunter's, which correlates alerts from an intrusion-detection system. BotHunter cannot detect botnets when fed only IRC information, and it also relies on known signatures. Going forward, the BotSniffer developers intend to implement what they call an "activity response crowd homogeneity check," a check that examines various features that multiple computers in a botnet might have in common.

It's one thing to write a paper or publish test results proving a product's capability in a controlled test environment, but quite another to demonstrate real-world feasibility. If the BotSniffer team has managed to create a new and better method of combating botnet infestations, however, it'll doubtless find a warm home in the hearts of IT gurus and network security officials the world over.